User Authentication.

This page is taken from actual site documentation in support of an ISP/data centre installation. Site names, references and URIs have been changed to maintain the appearance of full functionality.

Kerberos V

User authentication at rahford.com is provided by Kerberos V from the Massachusetts Institute of Technology (MIT).

Kerberos V is a client/server architecture that provides:

  1. strong authentication
  2. data integrity
  3. privacy.

Sun Microsystems' implementation of Kerberos is called the Sun Enterprise Authentication Mechanism (SEAM).

DNS preparation.

During the installation process you will be prompted for the names of a master Kerberos domain controller (KDC) and a slave KDC. The KDC host names should be resolvable through DNS.

By convention Kerberos domain controllers (KDCs) are called kdc<instance>.

Ideally Kerberos servers are run on hardened hosts without any co-resident services.

Due to resource constraints, during phase one at rahford.com the master server will reside on the management server mgmt.rahford.com. The first slave will run on the name server ns1.rahford.com and local slaves will reside on the SunRay servers at each POD.

To facilitate resolution of the KDC server names, CNAME entries are required in the internal rahford.com DNS, e.g.

mgmt            IN      A       10.168.51.140
kdc00           IN      CNAME   mgmt
ns1             IN      A       10.168.51.131
kdc01           IN      CNAME   ns1

Installation

The packages for installing kerberos clients and servers are available on the Solaris 7 Easy Access CD.

To install the master server, mount the CD, change to the directory /cdrom/seas_3_0/products/Sun_Enterprise_Authentication_Mechanism_1.0 and run the command "installer".

  telnet kdc00
  cd /cdrom/seas_3_0/products/Sun_Enterprise_Authentication_Mechanism_1.0
  ./installer

When prompted, select a custom install. When prompted for component selection, check the 5.7 Kernel Module, the SEAM Client and the SEAM Master KDC.

When presented with a dialogue box for site configuration the following information will be required. It is not necessary to select a writable destination for the site configuration.

Configuration.

The configuration files for the server are /etc/krb5/krb5.conf and /etc/krb5/kdc.conf.

The source files are kept on the admin server under SCCS control.

  • admin:/usr/local/src/etc/krb5/krb5.conf
  • admin:/usr/local/src/etc/krb5/kdc.conf
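The page names the two server configuration files but does not show their contents. The script below is an added example, not the site's own files: it stages a krb5.conf and kdc.conf for the RAHFORD.COM realm (master kdc00, slave kdc01, as in the DNS section) in a scratch directory and runs the cross-checks worth doing before a new delta is copied to the KDC. The file layout is the standard MIT/SEAM profile format; the /var/krb5 paths, port numbers and lifetimes are the stock Solaris defaults and are an assumption to verify against the installed kdc.conf(4). It never writes to /etc/krb5.

```shell
#!/bin/sh
# Added example (not rahford.com's real files): stage krb5.conf and kdc.conf
# for the realm on this page and sanity-check them.  Paths under /var/krb5,
# the ports and the lifetimes are assumed stock Solaris SEAM defaults.

REALM=RAHFORD.COM
DOMAIN=rahford.com
KDCS="kdc00.$DOMAIN kdc01.$DOMAIN"     # master first, then the slave
STAGE=${STAGE:-$(mktemp -d)}           # scratch dir, not /etc/krb5
trap 'rm -rf "$STAGE"' EXIT

# ---- krb5.conf: what every client and server needs to locate the realm ----
{
    printf '[libdefaults]\n    default_realm = %s\n\n' "$REALM"
    printf '[realms]\n    %s = {\n' "$REALM"
    for h in $KDCS; do printf '        kdc = %s\n' "$h"; done
    # kadmind runs on the master only, so admin_server is the first KDC
    printf '        admin_server = %s\n    }\n\n' "${KDCS%% *}"
    printf '[domain_realm]\n    .%s = %s\n    %s = %s\n\n' "$DOMAIN" "$REALM" "$DOMAIN" "$REALM"
    printf '[logging]\n    default = FILE:/var/krb5/kdc.log\n'
    printf '    kdc = FILE:/var/krb5/kdc.log\n    admin_server = FILE:/var/krb5/kadmin.log\n'
} >"$STAGE/krb5.conf"

# ---- kdc.conf: server-side settings, including where kadm5.acl lives ----
cat >"$STAGE/kdc.conf" <<EOF
[kdcdefaults]
    kdc_ports = 88,750

[realms]
    $REALM = {
        profile = /etc/krb5/krb5.conf
        database_name = /var/krb5/principal
        admin_keytab = /etc/krb5/kadm5.keytab
        acl_file = /etc/krb5/kadm5.acl
        kadmind_port = 749
        max_life = 8h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        default_principal_flags = +preauth
    }
EOF

# conf_kdcs FILE REALM: the kdc hosts listed for REALM, in file order
conf_kdcs() {
    awk -v realm="$2" '
        /^\[/                                          { sect = $0; inrealm = 0; next }
        sect == "[realms]" && $1 == realm && $2 == "=" { inrealm = 1; next }
        inrealm && $1 == "}"                           { inrealm = 0 }
        inrealm && $1 == "kdc" && $2 == "="            { hosts = hosts (hosts ? " " : "") $3 }
        END                                            { print hosts }' "$1"
}

# conf_get FILE KEY: value of the first "KEY = value" line (value may contain spaces)
conf_get() {
    awk -v key="$2" '$1 == key && $2 == "=" { sub(/^[^=]*= */, ""); print; exit }' "$1"
}

# check_staged: at least one KDC for the realm, admin_server is the master,
# and kdc.conf points at the kadm5.acl file this page keeps under SCCS.
check_staged() {
    kdcs=$(conf_kdcs "$STAGE/krb5.conf" "$REALM")
    [ -n "$kdcs" ] || { echo "no kdc entries for $REALM"; return 1; }
    [ "$(conf_get "$STAGE/krb5.conf" admin_server)" = "${kdcs%% *}" ] \
        || { echo "admin_server is not the master KDC"; return 1; }
    [ "$(conf_get "$STAGE/kdc.conf" acl_file)" = /etc/krb5/kadm5.acl ] \
        || { echo "acl_file does not point at /etc/krb5/kadm5.acl"; return 1; }
    return 0
}

# Demo: report the result and, where getent exists, whether each KDC name
# resolves (informational only; it needs the site DNS from the DNS section).
if check_staged; then
    echo "staged files in $STAGE are consistent; KDCs: $(conf_kdcs "$STAGE/krb5.conf" "$REALM")"
    if command -v getent >/dev/null 2>&1; then
        for h in $(conf_kdcs "$STAGE/krb5.conf" "$REALM"); do
            getent hosts "$h" >/dev/null 2>&1 && echo "resolves: $h" || echo "does not resolve: $h"
        done
    fi
fi
```

The check functions are the useful part: run them against the staged copies before `sccs delget`, and the cross-check that kdc.conf's acl_file names the file maintained under SCCS catches the most common way an ACL change silently fails to take effect.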

To edit the files, log on to the admin server and change to the source directory. Edit the file under SCCS control and create a new delta. Copy the file to the domain controller and restart the Kerberos server (the KDC daemon's process name is krb5kdc), e.g.

  telnet admin.rahford.com
  cd /usr/local/src/etc/krb5
  sccs edit krb5.conf
  vi krb5.conf
  sccs delget krb5.conf
  su
  rcp krb5.conf kdc00:/etc/krb5/krb5.conf
  rsh kdc00 pkill -1 -x -u root krb5kdc

The KDC database is created using the kdb5_util(1M) command. At this stage the master database key is set. The master key name is K/M@RAHFORD.COM. The password selected must be a strong password. Only one written copy of the password should be permitted to exist, and it should be retained under lock and key in a sealed envelope. Should the envelope be opened at any time, the password must be changed.

The access control list /etc/krb5/kadm5.acl contains all the principal names that are allowed to administer the KDC. The source file admin:/usr/local/src/etc/krb5/kadm5.acl should only be edited under SCCS control and then copied to the required server, e.g.

  telnet admin
  cd /usr/local/src/etc/krb5
  sccs edit kadm5.acl
  vi kadm5.acl
  sccs delget kadm5.acl
  rcp kadm5.acl kdc00:/etc/krb5/kadm5.acl

Use kadmin.local(1M) to create administration principals.
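The page does not show what a kadm5.acl entry looks like or how kadmind decides whether an administration principal may perform an operation. The script below is an added example, not the site's ACL: it writes a constructed kadm5.acl for RAHFORD.COM (the principals ops1/admin, auditor, helpdesk and jane are made up for the illustration) and evaluates it the way kadmind does, so an ACL change can be reasoned about before it is copied to kdc00. The model is deliberately simplified: entries must carry a realm, and the optional restriction field is not handled.

```shell
#!/bin/sh
# Added example (not rahford.com's kadm5.acl): a constructed ACL and an
# evaluator answering "may principal P perform operation O (on target T)?"
# following the kadm5.acl rules: the first entry whose principal pattern
# matches decides, '*' matches exactly one principal component, permission
# letters are a(dd) d(elete) m(odify) c(hangepw) i(nquire) l(ist) s(etkey)
# with '*' or 'x' meaning all, and an upper-case letter is an explicit deny.
# Simplifications: every pattern must include a realm; restrictions ignored.

ACL_FILE=${TMPDIR:-/tmp}/kadm5.acl.example.$$
trap 'rm -f "$ACL_FILE"' EXIT
cat >"$ACL_FILE" <<'EOF'
# principal               permissions   [target pattern]
*/admin@RAHFORD.COM       *
auditor@RAHFORD.COM       il
helpdesk@RAHFORD.COM      C             */admin@RAHFORD.COM
helpdesk@RAHFORD.COM      c             *@RAHFORD.COM
EOF
# The matching principals are created on the master KDC with kadmin.local(1M),
# e.g.  kadmin.local -q 'addprinc ops1/admin'   (prompts for the password).

# match_princ PATTERN PRINCIPAL: 0 if PATTERN matches component by component
match_princ() {
    pat=$1; princ=$2
    prealm=${pat##*@}; pbody=${pat%@*}
    realm=${princ##*@}; body=${princ%@*}
    [ "$prealm" = "*" ] || [ "$prealm" = "$realm" ] || return 1
    while :; do
        case $pbody in */*) pc=${pbody%%/*}; pbody=${pbody#*/}; pmore=1;; *) pc=$pbody; pmore=0;; esac
        case $body  in */*) bc=${body%%/*};  body=${body#*/};  bmore=1;; *) bc=$body;  bmore=0;; esac
        [ "$pc" = "*" ] || [ "$pc" = "$bc" ] || return 1
        [ "$pmore" = "$bmore" ] || return 1      # differing component counts never match
        [ "$pmore" = 1 ] || return 0
    done
}

# acl_allows FILE WHO OP [TARGET]: 0 (allow) or 1 (deny)
acl_allows() {
    file=$1; who=$2; op=$3; target=${4:-}
    up=$(printf '%s' "$op" | tr 'a-z' 'A-Z')
    while read -r p perms tgt rest; do
        case $p in ''|'#'*) continue;; esac       # blank lines and comments
        match_princ "$p" "$who" || continue
        if [ -n "$tgt" ]; then                    # entry only applies to matching targets
            [ -n "$target" ] && match_princ "$tgt" "$target" || continue
        fi
        case $perms in *"$up"*) return 1;; esac   # explicit deny wins
        case $perms in *'*'*|*x*) return 0;; esac # all permissions
        case $perms in *"$op"*) return 0;; esac
        return 1                                  # first matching entry decides
    done <"$file"
    return 1                                      # no entry matched: deny
}

# Demo: print a few decisions for the reader
show() {
    if acl_allows "$ACL_FILE" "$1" "$2" "${3:-}"; then r=allow; else r=deny; fi
    printf '%-26s %s  %-24s %s\n' "$1" "$2" "${3:--}" "$r"
}
show ops1/admin@RAHFORD.COM a
show auditor@RAHFORD.COM i
show auditor@RAHFORD.COM a
show helpdesk@RAHFORD.COM c jane@RAHFORD.COM
show helpdesk@RAHFORD.COM c jane/admin@RAHFORD.COM
```

The ordering of the two helpdesk entries is the point to notice: because the first matching entry decides, the deny on */admin targets has to come before the general change-password grant, otherwise the broad entry would match first and the helpdesk principal could reset administrators' passwords.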

C W Fulford - Last change 02/12/17 18:11:44
@(#) seam.html 1.3@(#)